ASUS DSL-G31 – connection to ADSL or Ethernet providers

After moving to a new place users often have to change their provider, and this change may also mean a change in the connection technology, which will inevitably drive previously purchased network equipment out of use. For instance, if one provider used the ADSL technology, then after switching to Ethernet the subscriber will have to change his router as the one he owns hasn’t got the necessary Ethernet WAN-port. Fortunately, switch chips used in modern network equipment are managed, which makes it possible to assign one or more LAN-ports to special needs. One of such needs may be the necessity to connect to Ethernet providers. The idea of this scheme is to exclude a certain LAN-port from the switching engine and use it specifically to connect to the operator. This scheme used to be available to those select few enthusiasts who were guru of BusyBox and Linux. However, these days it’s available to any user whose knowledge of network technologies is quite superficial. This facility appeared owing to the releases of new official firmware which allows choosing a WAN-port for connecting to a provider. An example of a device which has such peculiar firmware is ASUS DSL-G31, and in our review we will not only look at traditional ADSL-modem/router features but also at its ability to connect to Ethernet providers.

The Wireless ADSL2+ modem is performed in a square white plastic case with rounded corners. The device is powered by an external power adapter which provides 1A of direct current at 12V voltage, thus the maximum electricity consumption of the gadget shouldn’t exceed 12 Watts. The weight of DSL-G31 itself without the antenna and the power adapter is 300 grams. The dimensions are 173*129*33 mm.

The upper panel has a ventilating grate and an embossed vendor name. Four soft rubber stands are glued to the bottom to put the device on the table. It’s also possible to mount the device on the wall for which there are two T-shaped holes. On the bottom there are also vent holes and a sticker with the brief information about the device.

The side panels of the wireless ADSL2+ router are quite featureless; there’s only an outer antenna connector on one of them.

Now let’s turn to the back panel where there’re four Fast Ethernet ports. When using DSL-G31 with old original firmware these ports could only be used to connect up to four wire devices to the user’s local net. In the section devoted to the web-interface we will speak about the features of the new firmware in more detail. Also on the back panel is a port for connecting to ADSL-providers with the help of the RJ-11. Here you will also find a power slot and an on/off button. The recessed Reset button allows resetting DSL-G31 to factory defaults.

Now let’s look at the front panel. Here, besides the name of the device, are 8 indicator lights (Wireless, LAN1-LAN4, Internet, DSL and Power), showing the state of the device itself and its ports.

All the ADSL-modem inside parts are put on one green textolite board. Its elements are placed on both sides.

The RAM memory is provided by two ESMTM12L64164A chips working at 143 MHz. Each of these memory modules is of 8 Mbyte, consequently the device can work with 16 Mbyte of RAM altogether.

The diagram of the chips under consideration is shown below.

The processing of ADSL2+ is performed by a BCM6348SKFBGBroadcom chip, with an imbedded MIP32 processor. The following annexes are supported: A, B, C, J, I, L, and M. The scheme of the installed Broadcom BCM5325EKQMG switch with five Fast Ethernet ports is presented below. Two HST-2027DR GROUP-TEK chips are responsible for wire physics.

The wireless part of DSL-G31 is represented by a BCM4318KFBG Broadcom module working on 802.11b/g standards. By the way, the pigtail for the outer antenna is simply soldered to the board, which makes the whole construction undismountable. Flash memory is presented by a 4 Mb KH29LV320DBTC chip.

There’re three ways to change the version of the modem firmware: via HTTP web-interface, with the help of file transfer protocols FTP/TFTP or using the firmware recovery utility. First we decided to take the way traditional for SOHO equipment – to use the HTTP protocol. To get additional functionality (using one LAN-port as WAN) it is necessary to have modern firmware with a “dual” index. At hand we had a 3.0.1.9.A_dual4 version to which we’ll be upgrading.

To upgrade via web-interface you have to open the Firmware upgrade tab in the Administration menu. There you choose the necessary image file and click Upload.

The whole upgrade process takes around two minutes, of which the pop-up window informs. To verify the fact that the firmware has been really upgraded, one has to read the heading of the web-page which says the uptime of the device, the name of the wireless network and the firmware version.

Now let’s try to upgrade the firmware with the help of TFTP. For this in the telnet session we’ll turn to the Update Software tab of the Management menu. TFTPD32 version 3.35 was used as a TFTP server.

After which the telnet session is broken and two minutes later the router is ready to work again.

We have found another interesting way of changing firmware. It also uses the TFTP protocol, but this time you’ll need not a TFTP server but a client. The only thing you have to do is to copy the required firmware file via the TFTP protocol to the “server” running on DSL-G31. And again the router will be ready to work in two minutes.

Getting ahead of ourselves we have to note that testing and studying the features of the command line resulted in finding an open FTP port. Naturally, we tried to copy firmware through it as well. Our attempt was a success.

The only way of firmware update/recovery we haven’t described yet is using the firmware recovery utility. Unfortunately this software doesn’t go with the DSL-G31 utility set, so we took it from the ASUS RT-N16 set. The firmware recovery program allows loading the firmware image only to the devices in the local segment and turned into the rescue mode where the boot loader works. ASUS DSL-G31 may get into this mode as a result of some malfunction like after a power switch off while in the standard firmware update process. You can turn the device in this mode manually; for this you have to press the Reset button on the back panel of the ADSL router, switch the power on and wait for the power indicator to start flashing slowly (5-10 seconds). The recovery process is very simple: you specify the file with working firmware and click Upload; the utility will by itself detect the problem device and recover it.

Naturally, we captured the dialogue between the recovery utility and DSL-G31 with the help of a network analyzer Wireshark version 1.4.1. There’s nothing extraordinary in this dialogue: the process of searching for the problem device and transfer of the firmware image file via the TFTP protocol.

It’s also possible to recover firmware manually. For this you should connect to one of the DSL-G31 LAN ports using 192.168.1.2/24 IP-address. To check whether the device is really in the rescue mode use ping. In the regular mode the router ICMP echoing back comes with TTL=64.

Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

In the rescue mode, when the answer is sent by the boot loader, the router sets TTL=100. By the way, the boot loader always uses 192.168.1.1 address.

Reply from 192.168.1.1: bytes=32 time<1ms TTL=100

After checking the availability of the boot loader we transfer the firmware image file via the TFTP protocol as described above. Now we only have to wait for DSL-G31 to save the new firmware version (a couple of minutes) and reload the device.

It’s possible to manage ASUS DSL-G31 with the help of the command line interface that is organized as a menu. Let’s study the command line features in more detail. After entering correct logon information (the defaults are admin/admin) the user gets into the main menu. It should be noted that several simultaneous telnet sessions are allowed. From now on all unnecessary line feeds are deleted.

C:\>telnet 192.168.1.1BCM96348 ADSL RouterLogin: adminPassword:Note: If you have problem with Backspace key, please make sure you configure your terminal emulator settings. For instance, from HyperTerminal you would need to use File->Properties->Setting->Back Space key sends. Main Menu1. ADSL Link State2. LAN3. WAN4. DNS Server5. Route Setup6. NAT7. Firewall8. Quality Of Service9. Management10. Passwords11. Reset to Default12. Save and Reboot13. Exit ->The first point of the menu shows the state of the ADSL line. ADSL Link Infoadsl: ADSL driver and PHY statusStatus: IdleLink Power State: L0Hit <enter> to continue

The second point (LAN) is responsible for configuring LAN-interfaces. With its help one can configure the IP-address and the subnet mask for the local interface as well as the DHCP-server parameters.

You can create, look through and delete WAN-interface settings via the same-name menu point #3. We’d like to note that the command line interface only allows working with the connections through the ADSL-port. The connection to the provider through the LAN-port is still only possible with the help of the router’s web-interface.

The NAT point allows indicating a node in DMZ or configuring port redirection to inner services.

NAT Menu1. Virtual Server2. DMZ3. Exit/ NAT ->

In point #7 Firewall you can configure filtration by MAC-addresses or by IP-addresses and TCP/UPD ports. We were pleasantly surprised by the possibility to set an access list letting allow and/or prohibit certain outgoing connections. These rules don’t work when addressing DSL-G31 itself. To adjust access to the router you’ll have to turn to point #9 Management.

Let’s look at point #9 Management which allows making configurations related to the work parameters of the device itself. Sub-point #1 Settings lets you save, show or recover DSL-G31 settings. The parameters of sending log information to the Syslog-server may be set in sub-point #2 System Log. In sub-point #3 SNMP Agent you configure access via the SNMP protocol. One more interesting sub-point here is Access Control where you set access parameters to inner services (FTP, ICMP, HTTP, SNMP, SSH, TELNET, TFTP) of the modem. Unfortunately we failed to connect to the tested router with the help of SSH, no matter that all permissions were created. If you need to let only certain IP-addresses access the DSL-G31 settings, you should turn to sub-point #2 IP Addresses in the Access Control group.

The only thing left to describe in this section is password management which can be performed in point #10 Passwords. There’re three users in the device: Admin, User and Support whose passwords are admin, user and support, respectively. But unfortunately via telnet it’s only possible to log in as Admin.

The data presented give the administrator information on processes ongoing at the moment of rebooting as well as average load of the router within last 1, 5 and 15 minutes.

After we’ve finished with this section we broadened telnet access to ASUS DSL-G31 as we managed to get access to the command line itself. For this you only have to write the sh command instead of specifying the menu point number. Generally, all commands available in the command line may be run from the menu; we still preferred not to display the menu points. As is traditional for this type of devices, the command shell has the ancient 1.00 version of Busybox.

With the help of uptime and loadavg files in the /proc directory one can estimate the load of ASUS DSL-G31. In the cat uptime output there’re two numbers which are the working and idle time of the router, respectively. The first three numbers in the cat loadavg output show average load of the device within last 1, 5 and 15 minutes, respectively. As we see, at the moment our router is not heavily loaded. Similar information may be got from the command sysinfo.

Naturally we couldn’t help studying the nvram utility which allows looking though and changing important parameters in other Asus devices; however, in DSL-G31 nvram doesn’t show actual data and doesn’t allow changing configuration.

We’re not going to describe all the features of the DSL-G31 web-interface in detail; we’ll only mention the most interesting ones. However, first things first. When the user addresses 192.168.1.1 he is asked for his login and password which are by default admin/admin.

Upon successful authentication the user finds himself on the main page of the device. The interface can go in one of seven languages: Czech, German, English, Italian, Polish, Russian or Turkish.

We don’t often use setting wizards, but this time we would like to speak about such a wizard in more detail. The thing is that in its firmware ASUS has implemented a feature which we lacked so much in ZyXEL NetFriend – the device itself supports the list of providers without any utilities that have to be additionally installed and connected… Besides, not all operating systems permit such installation. The quick internet setting wizard allows choosing your provider from a list on the web-page of the modem, set you login and password and… and that’s all – you can start working in the internet straight after rebooting.

The process described above takes place if DSL-G31 isn’t connected to a provider when it’s being configured or it failed to identify him correctly. If the provider is identified by the device’s automatic scanning, the process of connection gets even simpler.

Now let’s move to additional settings that are outside the wizard.

The DSL-G31 wireless network allows wireless clients to connect using 802.11b and 802.11g (tab General in the Wireless group). In the list of available modes there’s 802.11g LRS (Limited Rate Support) for compatibility with older clients.

ASUS DSL-G31 supports operation in the access point mode, wireless bridge mode or hybrid (tab Bridge in the Wireless group).

In the LAN group on the Route tab you can add static routes, but we failed to make them work.

The point IGMP Snooping in the LAN group is responsible for managing processing multicast traffic. The IGMP Snooping mode allows setting how many members the router would announce to the sender; this setting allows decreasing the source load.

Additional DSL parameters are configured on the DSL Settings tab in the WAN group; here you can permit or prohibit annexes. The page under discussion used to be hidden and only available under direct addressing http://192.168.1.1/adslcfg.html.

In the Firewall group (it appears in _dual firmware) there are two tabs: LAN to WAN Filter and Parental Control. It was the latter that captured our attention. Here, parents can configure time intervals in which children’s computers and notebooks will be allowed to connect to DSL-G31 and consequently to the global net. Alas, such protection can be easily come round by changing the MAC-address on the NIC of the controlled computer. However, if the kid doesn’t have administrator’s rights on his computer, the protection may well be effective.

You can control access to the services of DSL-G31 itself on the Services Control tab in the menu point Administration. Here you permit or deny access to the modem via HTTP, ICMP, TFTP, Telnet and FTP protocols. There’s no mention of SSH access in the web-interface.

The Device Info group lets you look through the information on addresses lease with the help of DHCP, wireless network clients, the DSL-G31 routing table and the existing ARP-table.

Log data can be stored either locally or on a remote Syslog server. The respective parameters are configured on the System Log tab in the Log & Statistics menu.

Statistical data on the work of LAN and WAN interfaces as well as on the state of the ADSL line and ATM statistics may be obtained on LAN & WAN, ADSL and ATM tabs.

We’re not going to give a detailed review of all options of SNMP-access, we’ll only speak of several parameters that can be obtained and installed with the help of the same-name protocol. To get access via the SNMP-protocol, with the help of a telnet session one first has to start the SNMP-agent itself (Management-SNMP agent) and then permit access to the running SNMP-daemon (Management-Access Control). The rules configured above come into effect after rebooting the router (Save and Reboot). Unfortunately, it’s only possible to perform all the described actions via a telnet session as there’re no SNMP settings in the web-interface. For management we chose a rather simple Getif utility the Parameter tab of which is shown below.

Altogether we found seven interfaces.

Now let’s move to the MBrowser tab in which all available parameters situated in the .iso.org.dod.internet.mgmt.mib-2.system and .iso.org.dod.internet.mgmt.mib-2.interfaces branches are gathered. The first group lets you read and change such parameters as the name and the description of the device, its uptime, location, administrator’s contacts, etc.

In the .iso.org.dod.internet.mgmt.mib-2.interfaces branch you’ll find all information regarding the state of the interfaces, there working speed, the number of errors and the volume of normally transmitted data, the maximum transmitted units (MTU), etc.

The calculation of bytes transmitted and received through ADSL is made in the second and third interfaces.

Here we finish the review of the access options to DSL-G31 via the SNMP-protocol.

Another way of managing the tested ADSL-router is using a special utility program EZ Setup Wizard whose main aim is to simplify the process of connecting ASUS DSL-G31 to the internet. By its functionality the utility under consideration reminds of ZyXEL NetFriend, but it only allows you to choose a provider to which you’re connecting. Unfortunately, EZ Setup Wizard has only russian interface. The whole configuration process is presented below.

Naturally, we couldn’t help capturing the whole process of data exchange between the utility and the modem. It turned out that first there’s a broadcast of five UPD-datagrams to which come five responses from the router. Then the router is considered to have been detected and user settings are transmitted to it. All UDP-datagrams are sent from the 9999 port of the PC to the same 9999 port of DSL-G31.

The result of such configuring is the router’s ability to connect to the chosen provider; however, all the device settings get reset, i.e. the login and password become admin/admin regardless of what they used to be before the utility was run. We think this to be a serious insecurity. Of course, we reported this to the vendor.

The ASUS EZ Setup Wizard utility may only be used as a means of initial router configuration; the same results may be got with the help of the DSL-G31web-interface wizard.

Traditionally we start the testing section with determining the booting time of the equipment in question. By booting time we mean the time interval from switching power on to the arrival of the first echoing back via the ICMP protocol. ASUS DSL-G31 boots in 20 seconds; it seems to us to be a very good result.

The second routine test is the router’s security test that is held from a local net with the help of a network security scanner by Positive TechnologiesXSpider 7.7 (Demo Build 3100). Altogether we found six open ports: TCP-21 (FTP), TCP-23 (Telnet), UDP-53 (DNS), UDP-69 (TFTP), TCP-80 (HTTP) and TCP-18017 (HTTP). Of course we were surprised to find an open TCP 18017 port with HTTP on it.

We used a browser to address this port. Below is the page displayed when this port is addressed.

Below are the most interesting insecurities we found and information on open ports.

It all could be quite alright, but the presence of a DoS-attack against DNS is quite frustrating.

We also decided to measure the temperature of the router surface while it was in operation. It turned out that the upper panel heats up to 49.8°С.

For many potential users of the device the most important part of the review are the measurements of the router’s performance. We certainly complied. We didn’t check the speed of data transfer via the ADLS-link as in this test all SOHO-routers show nearly the same decent results. We concentrated on the wireless part of DSL-G31 and its work as a regular router in Ethernet networks. In our performance tests we used 3.0.1.9A_dual6 firmware version. As a wireless NIC we used a USB key-type adapter ASUS WL-167g; all other parameters of the computers used in the test are presented below.

During the experiment we came across somewhat strange behavior of the virtual servers configured on the router. For instance, from the LAN-segment of DSL-G31 one could both access the internet through the PPTP provider’s tunnel and the local network computers (not via VPN); however it was only possible to use virtual servers through the tunnel. It means that the provider’s clients don’t get access to the local resources of the router’s users, whereas the internet users can have this access via VPN. On the DSL-G31 WAN-interface we’d also find handy the possibility to choose the connection type not only from the tunnels (PPTP, PPPoE and L2TP), but from the regular Static IP or Dynamic. We hope that these connection types will appear among available WAN connection types in further firmware versions as when the article was being written the functions of connecting to Ethernet providers were in beta-testing.

The transfer speeds obtained in the test are presented in the table and diagram below. It’s worth noting that the speed was practically independent of the number of data streams.

We have tested an ADSL-router ASUS DSL-G31 which can be categorized as a low-end model for ordinary users. Firmware for this model is developing dynamically, for instance, DSL-G31 can now be used as a regular wireless router for connecting to Ethernet providers. In this case the LAN1 port of the device is used as a WAN-port.

Let’s list the advantages of the device.

• The possibility to connect to both ADSL and Ethernet providers.• Various ways of updating and recovering the firmware.• The presence of a settings wizard with a list of supported providers embedded in the firmware itself.• The possibility to get access to the device for managing either via HTTP, Telnet and SNMP protocols or with the help of a special utility.• Support of several languages in the web-interface.• Quick booting of the device.• Reasonable price.

However we can’t but point at some minuses.

• Non-availability of Static IP and Dynamic modes for connecting to Ethernet providers.• Non-availability of the possibility for a user in the provider’s local net to access virtual servers.• Crudeness of the current firmware version.• The possibility of an attack on the router’s DNS-server.• The possibility of an attack from LAN via EZ Setup Wizard.• Rather low routing speed.

When the article was being written the price for ASUS DSL-G31 in Moscow internet shops was 2000 rubles.